Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Coding
v0.1.0
Design database structures from given data, create backend APIs using the specified endpoint, and develop dynamic HTML dashboards with 60-second polling for...
⭐ 0 · 796 · 2 current · 2 all-time
by YuPeng Wu @realroc
MIT-0
License MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to design DB structures, create DB objects, insert data, and build backend APIs/dashboards — that purpose would normally require database credentials, a DB client/tool, and/or deployment hooks. None of those are declared in the metadata (no required env vars, no required binaries, no install spec). This mismatch suggests missing or undocumented requirements.
Instruction Scope
SKILL.md instructs the agent to call a specific external endpoint (https://teamo-dev.floatai.cn/api/engine/generalDataApi) and to insert received data into a created database. It also references template variables like $SESSION_GROUP_ID$ and ${表名} without declaring them. The instructions therefore direct network traffic to an external host and require modifying a database, but they do not state how to authenticate, which DB to use, or what local/remote tools to run.
Install Mechanism
There is no install spec and no code files (instruction-only). This is lower risk from an installation/execution perspective because nothing is downloaded or written by the skill itself.
Credentials
No environment variables or credentials are listed, yet the instructions require $SESSION_GROUP_ID$ and implicit DB credentials or access tokens. Either the runtime environment must supply these undocumented secrets, or the skill cannot function. This is a proportionality and transparency problem and raises a risk that sensitive data might be sent to the external endpoint without clear declaration.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not declare any actions that would modify other skills or global agent configs. Autonomous invocation is allowed by default, but that alone is not flagged.
What to consider before installing
Before installing or enabling this skill, get these clarifications from the author:
(1) Which database type and where is it hosted? Provide the exact required environment variables (DB host/URL, DB_USER, DB_PASSWORD or a service token) and explain how the agent should obtain them.
(2) What tool or API will be used to create DB structures? If a CLI or cloud API is required, add it to required binaries or install steps.
(3) What is $SESSION_GROUP_ID$ and where does it come from? Declare it as an env var if it's sensitive.
(4) Confirm whether data will be sent to https://teamo-dev.floatai.cn and provide an explanation of that endpoint, expected authentication, and privacy/ownership of sent data.
(5) If you plan to allow autonomous runs, restrict credentials to least privilege, audit network requests, and avoid giving broad DB admin credentials.
Do not supply secrets until these items are answered; if you must proceed, run the skill in an isolated environment and monitor outgoing network traffic.
Like a lobster shell, security has layers — review code before you run it.
